﻿using System;
using System.Collections;

using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Security.Certificates;
using Org.BouncyCastle.X509.Extension;

namespace Org.BouncyCastle.X509
{
    /// <summary>
    /// A class to Generate Version 3 X509Certificates.
    /// </summary>
    public class X509V3CertificateGenerator
    {
        private readonly X509ExtensionsGenerator extGenerator = new X509ExtensionsGenerator();

        private V3TbsCertificateGenerator tbsGen;
        private DerObjectIdentifier sigOid;
        private AlgorithmIdentifier sigAlgId;
        private string signatureAlgorithm;

        public X509V3CertificateGenerator()
        {
            tbsGen = new V3TbsCertificateGenerator();
        }

        /// <summary>
        /// Reset the Generator.
        /// </summary>
        public void Reset()
        {
            tbsGen = new V3TbsCertificateGenerator();
            extGenerator.Reset();
        }

        /// <summary>
        /// Set the certificate's serial number.
        /// </summary>
        /// <remarks>
        /// Make serial numbers long.  If you have no serial number policy,
        /// make sure the number is at least 127 bits of secure random data.
        /// You will be surprised how ugly a serial number collision can
        /// get.</remarks>
        /// <param name="serialNumber">The serial number.</param>
        public void SetSerialNumber(
            BigInteger serialNumber)
        {
            if (serialNumber.SignValue <= 0)
            {
                throw new ArgumentException("serial number must be a positive integer", "serialNumber");
            }

            tbsGen.SetSerialNumber(new DerInteger(serialNumber));
        }

        /// <summary>
        /// Set the distinguished name of the issuer.
        /// The issuer is the entity which is signing the certificate.
        /// </summary>
        /// <param name="issuer">The issuer's DN.</param>
        public void SetIssuerDN(
            X509Name issuer)
        {
            tbsGen.SetIssuer(issuer);
        }

        /// <summary>
        /// Set the date that this certificate is to be valid from.
        /// </summary>
        /// <param name="date"/>
        public void SetNotBefore(
            DateTime date)
        {
            tbsGen.SetStartDate(new Time(date));
        }

        /// <summary>
        /// Set the date after which this certificate will no longer be valid.
        /// </summary>
        /// <param name="date"/>
        public void SetNotAfter(
            DateTime date)
        {
            tbsGen.SetEndDate(new Time(date));
        }

        /// <summary>
        /// Set the DN of the entity that this certificate is about.
        /// </summary>
        /// <param name="subject"/>
        public void SetSubjectDN(
            X509Name subject)
        {
            tbsGen.SetSubject(subject);
        }

        /// <summary>
        /// Set the public key that this certificate identifies.
        /// </summary>
        /// <param name="publicKey"/>
        public void SetPublicKey(
            AsymmetricKeyParameter publicKey)
        {
            tbsGen.SetSubjectPublicKeyInfo(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey));
        }

        /// <summary>
        /// Set the signature algorithm that will be used to sign this certificate.
        /// </summary>
        /// <param name="signatureAlgorithm"/>
        public void SetSignatureAlgorithm(
            string signatureAlgorithm)
        {
            this.signatureAlgorithm = signatureAlgorithm;

            try
            {
                sigOid = X509Utilities.GetAlgorithmOid(signatureAlgorithm);
            }
            catch (Exception)
            {
                throw new ArgumentException("Unknown signature type requested: " + signatureAlgorithm);
            }

            sigAlgId = X509Utilities.GetSigAlgID(sigOid, signatureAlgorithm);

            tbsGen.SetSignature(sigAlgId);
        }

        /// <summary>
        /// Set the subject unique ID - note: it is very rare that it is correct to do this.
        /// </summary>
        /// <param name="uniqueID">array of bits to set the SUID to</param>
        /// <param name="iHaveReadTheWarningLabel">you know that it's almost never correct to do this</param>
        public void SetSubjectUniqueID(
            bool[] uniqueID, bool iHaveReadTheWarningLabel)
        {
            tbsGen.SetSubjectUniqueID(booleanToBitString(uniqueID));
        }

        [Obsolete("Doing this is almost never correct")]
        public void SetSubjectUniqueID(
            bool[] uniqueID)
        {
            SetSubjectUniqueID(uniqueID, true);
        }


        /// <summary>
        /// Set the issuer unique ID - note: it is very rare that it is correct to do this.
        /// </summary>
        /// <param name="uniqueID">array of bits to set the IUID to</param>
        /// <param name="iHaveReadTheWarningLabel">you know that it's almost
        /// never correct to do this</param>

        public void SetIssuerUniqueID(
            bool[] uniqueID,
            bool iHaveReadTheWarningLabel)
        {
            tbsGen.SetIssuerUniqueID(booleanToBitString(uniqueID));
        }

        
        
        [Obsolete("Doing this is almost never correct")]
        public void SetIssuerUniqueID(bool[] uniqueID)
        {
            SetIssuerUniqueID(uniqueID, true);
        }


        private DerBitString booleanToBitString(
            bool[] id)
        {
            byte[] bytes = new byte[(id.Length + 7) / 8];

            for (int i = 0; i != id.Length; i++)
            {
                if (id[i])
                {
                    bytes[i / 8] |= (byte)(1 << ((7 - (i % 8))));
                }
            }

            int pad = id.Length % 8;

            if (pad == 0)
            {
                return new DerBitString(bytes);
            }

            return new DerBitString(bytes, 8 - pad);
        }

        /// <summary>
        /// Add a given extension field for the standard extensions tag (tag 3).
        /// </summary>
        /// <param name="oid">string containing a dotted decimal Object Identifier.</param>
        /// <param name="critical">Is it critical.</param>
        /// <param name="extensionValue">The value.</param>
        public void AddExtension(
            string oid,
            bool critical,
            Asn1Encodable extensionValue)
        {
            extGenerator.AddExtension(new DerObjectIdentifier(oid), critical, extensionValue);
        }

        /// <summary>
        /// Add an extension to this certificate.
        /// </summary>
        /// <param name="oid">Its Object Identifier.</param>
        /// <param name="critical">Is it critical.</param>
        /// <param name="extensionValue">The value.</param>
        public void AddExtension(
            DerObjectIdentifier oid,
            bool critical,
            Asn1Encodable extensionValue)
        {
            extGenerator.AddExtension(oid, critical, extensionValue);
        }

        /// <summary>
        /// Add an extension using a string with a dotted decimal OID.
        /// </summary>
        /// <param name="oid">string containing a dotted decimal Object Identifier.</param>
        /// <param name="critical">Is it critical.</param>
        /// <param name="extensionValue">byte[] containing the value of this extension.</param>
        public void AddExtension(
            string oid,
            bool critical,
            byte[] extensionValue)
        {
            extGenerator.AddExtension(new DerObjectIdentifier(oid), critical, new DerOctetString(extensionValue));
        }

        /// <summary>
        /// Add an extension to this certificate.
        /// </summary>
        /// <param name="oid">Its Object Identifier.</param>
        /// <param name="critical">Is it critical.</param>
        /// <param name="extensionValue">byte[] containing the value of this extension.</param>
        public void AddExtension(
            DerObjectIdentifier oid,
            bool critical,
            byte[] extensionValue)
        {
            extGenerator.AddExtension(oid, critical, new DerOctetString(extensionValue));
        }

        /// <summary>
        /// Add a given extension field for the standard extensions tag (tag 3),
        /// copying the extension value from another certificate.
        /// </summary>
        public void CopyAndAddExtension(
            string oid,
            bool critical,
            X509Certificate cert)
        {
            CopyAndAddExtension(new DerObjectIdentifier(oid), critical, cert);
        }

        /**
         * add a given extension field for the standard extensions tag (tag 3)
         * copying the extension value from another certificate.
         * @throws CertificateParsingException if the extension cannot be extracted.
         */
        public void CopyAndAddExtension(
            DerObjectIdentifier oid,
            bool critical,
            X509Certificate cert)
        {
            Asn1OctetString extValue = cert.GetExtensionValue(oid);

            if (extValue == null)
            {
                throw new CertificateParsingException("extension " + oid + " not present");
            }

            try
            {
                Asn1Encodable value = X509ExtensionUtilities.FromExtensionValue(extValue);

                this.AddExtension(oid, critical, value);
            }
            catch (Exception e)
            {
                throw new CertificateParsingException(e.Message, e);
            }
        }

        /// <summary>
        /// Generate an X509Certificate.
        /// </summary>
        /// <param name="privateKey">The private key of the issuer that is signing this certificate.</param>
        /// <returns>An X509Certificate.</returns>
        public X509Certificate Generate(
            AsymmetricKeyParameter privateKey)
        {
            return Generate(privateKey, null);
        }

        /// <summary>
        /// Generate an X509Certificate using your own SecureRandom.
        /// </summary>
        /// <param name="privateKey">The private key of the issuer that is signing this certificate.</param>
        /// <param name="random">You Secure Random instance.</param>
        /// <returns>An X509Certificate.</returns>
        public X509Certificate Generate(
            AsymmetricKeyParameter privateKey,
            SecureRandom random)
        {
            TbsCertificateStructure tbsCert = GenerateTbsCert();
            byte[] signature;

            try
            {
                signature = X509Utilities.GetSignatureForObject(
                    sigOid, signatureAlgorithm, privateKey, random, tbsCert);
            }
            catch (Exception e)
            {
                // TODO
                //				throw new ExtCertificateEncodingException("exception encoding TBS cert", e);
                throw new CertificateEncodingException("exception encoding TBS cert", e);
            }

            try
            {
                return GenerateJcaObject(tbsCert, signature);
            }
            catch (CertificateParsingException e)
            {
                // TODO
                // throw new ExtCertificateEncodingException("exception producing certificate object", e);
                throw new CertificateEncodingException("exception producing certificate object", e);
            }
        }

        private TbsCertificateStructure GenerateTbsCert()
        {
            if (!extGenerator.IsEmpty)
            {
                tbsGen.SetExtensions(extGenerator.Generate());
            }

            return tbsGen.GenerateTbsCertificate();
        }

        private X509Certificate GenerateJcaObject(
            TbsCertificateStructure tbsCert,
            byte[] signature)
        {
            return new X509Certificate(
                new X509CertificateStructure(tbsCert, sigAlgId, new DerBitString(signature)));
        }

        /// <summary>
        /// Allows enumeration of the signature names supported by the generator.
        /// </summary>
        public IEnumerable SignatureAlgNames
        {
            get { return X509Utilities.GetAlgNames(); }
        }
    }
}
